BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT Rashmi Knowles RSA, The Security Division of EMC Session ID: Session Classification: SPO-W07 Intermediate
APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim s network was 1,764 days, or four years and ten months. Source Mandiant APT1 Report Feb 2013
Characteristics of Security Maturity RISK VISIBILITY COLLABORATION Step 1: Threat Defense Step 2: Compliance and Defense-in- Depth Step 3: Risk-Based Security Step 4: Business-Oriented
Information Security Maturity Model
Security is becoming a Big Data problem More determined adversary means more data needed to identify attacks More complex IT environment means even simple attacks can hide in plain sight Security professionals are struggling to keep up 1 40% of all survey respondents are overwhelmed with the security data they already collect 35% have insufficient time or expertise to analyze what they collect 1 EMA, The Rise of Data-Driven Security, Crawford, Aug 2012 Sample Size = 200
Advanced Threats are Different 1 TARGETED SPECIFIC OBJECTIVE 2 INTERACTIVE HUMAN INVOLVEMENT 3 STEALTHY LOW AND SLOW System Intrusion Attack Begins Cover-Up Discovery Leap Frog Attacks Cover-Up Complete TIME Dwell Time Response Time Attack Identified Response 1 Decrease Dwell Time 2 Speed Response Time
KNOW YOUR ENEMY What are the common threat vectors? What exploits are commonly used? Threat research groups and vendors Threat teams from competitors Industry working groups
KNOW YOUR PEOPLE Who has enhanced access? Security policy that covers common attack scenarios? Who are my likely targets? Am I continuously tracking employees that have been compromised? Is there a privacy issue?
KNOW YOUR NETWORK The ability to pervasively know what your network looks like on a day-to-day basis is critical in helping to identify advanced threats
THE KILL CHAIN Lockheed Martin methodology Seven steps Guides analysis to actionable intelligence Recon Weapon Deliver Exploit Install C2 Action
ORGANISATIONS MUST GET CREATIVE Focus on early detection of breaches to minimize your window of vulnerability. Move backward in the Kill chain The key is actively preserving, aggregating and reviewing data to detect a potential intrusion but also for post-event forensics. Recon Weapon Deliver Exploit Install C2 Action
SINGLE EVENT MENTALITY Recon Weapon Deliver Exploit Install C2 Action Recon Weapon Deliver Exploit Install C2 Action
INVESTIGATION TODAY... Attacker Surveillance Target Analysis Access Probe Attack Set-up System Intrusion Attack Begins Cover-up Starts Discovery/ Persistence Leap Frog Attacks Complete Cover-up Complete Maintain foothold TIME Transactions Information Infrastructure Traffic Identity Are we seeing suspicious transactions against sensitive/high value apps/assets What kind of data does this system store, transmit, process? Is this a regulatory issue? High value IP? Has the server been manipulated? Is it vulnerable? Has its config changed recently? Is it compliant with policy? Are there traffic anomalies to/from these servers Protocol Distribution Encryption Suspicious destinations Which users were logged onto them Have their priv. been escalated? Where did they log in What else did they touch? Sources Sources Sources Sources Sources WFD Transaction Monitoring SIEM SQL server logs DLP Data Classification GRC GRC System Config Mgmt Vul. Mgmt Netflow Network Forensics Web Proxy Logs SIEM Active Directory Netflow Server Logs Asset Management SIEM
PERVASIVE VISIBILITY You must be able to see everything Full network packet capture Identifying Malware Tracking attackers activities inside the environment Presenting proof of illicit activity
DEEPER ANALYTICS Combine disparate data Behaviour patterns and risk factors Value of assets vs. risk Eliminate known good activities Should not replace human judgement
MASSIVE SCALABILITY Volume and speed of data Internal and external feeds Analytics engine to normalise data Distributed storage architecture
UNIFIED VIEW Automated processes Correlated information Speeds up decision making Compliance becomes a by-product
CUSTOMER MATURITY MODEL Advanced Threats Become the Major Spend Driver as Customers Mature Security Level 1 Naïve/Cost-based Security Level 2 Compliance-driven Security Level 3 IT risk-driven Security Level 4 Business risk-driven Approach Security is necessary evil Check-box mentality Proactive and assessmentbased Security fully embedded in enterprise processes Reactive and decentralized monitoring Implement security and collect data to be compliant Assess risks and detect threats for organization as a whole Assess business risks to drive security implementation Technology Tactical threat defenses Tactical threat defenses enhanced with tracking and reporting tools Security tools integrated with common data and management platform Security tools integrated with business tools e.g. egrc Regulatory Environment New leadership Security breaches; customer demand
DETECTION AND RESPONSE Cyber Threat Intelligence Advanced Tools, Tactics & Analysis Critical Incident Response Team Open/All Source Actor Attribution Attack Sensing & Warning Social Media High Value Target (HVT) Reverse Malware Engineering Host & Network Forensic Cause & Origin Determination Email operations Eyes-on-Glass End User Intake Event Triage Incident Containment 24x7 Coverage Content Analytics Team Integration Content Development Reporting Alert and Rule Creation Reporting Integration Alert and Rule Creation Content Development Recon Weapon Deliver Exploit Install C2 Action
BREAKING THE KILL CHAIN Recommendations Focus on Risk, Context and Agility Reduce dwell time Move back in the Kill Chain Continuous monitoring see everything! Implement automation
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him. - Sun Tzu, The Art of War
Thank you! Rashmi Knowles RSA, The Security Division of EMC @knowlesrashmi Rashmi.knowles@emc.com www.emc.com